Versions Compared

Old Version 36

changes.mady.by.user Christoph Meier

Saved on

compared with

New Version Current

changes.mady.by.user Christoph Meier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Permissions to issue REST requests are controlled using Magnolia's standard role-based security mechanism.

Table of Contents

Security strategy

Multiexcerpt
MultiExcerptNamegeneral-security-advice

REST endpoints are a powerful tool but can also make your site very vulnerable. Make sure you understand how to implement a strong security strategy to safeguard your system.

Web access security

Web access security is checked by the 

Javadoc resource link
classNameinfo.magnolia.cms.security.URISecurityFilter
renderTypeasynchronous
. The filter checks whether the role(s) of the requesting user allow to the user to request a given path with given method.

...

JCR access security is checked on every endpoint which that reads or writes JCR data.

...

Role-based access to specific commands are configured in the rest-services module: /modules/rest-services/rest-endpoints/commands/enabledCommands/ 

Include Page
_What is a command
_What is a command

...

If the endpoint triggers commands, the command definition grants access via specifically defined roles defined per command:


HTTP
method		Web access security required

JCR access security


Specific role based security

delivery GET

/.rest/delivery/

{workspace}/v1

*

Read-only access for
a path on a workspace
the delivery API path-
nodes GET

/.rest/nodes/v1/{workspace}/{path}

Read-only access for a path on a workspace-
PUT

/.rest/nodes/v1/{workspace}/{path}

Read/Write access for a path on a workspace-
POST

/.rest/nodes/v1/{workspace}/{path}

Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
properties GET/.rest/nodes/v1/{workspace}/{path}Read-only access for a path on a workspace-
PUT/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
POST/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
DELETE/.rest/nodes/v1/{workspace}/{path}Read/Write access for a path on a workspace-
commands POST/.rest/commands/v2/{catalogName}/{command}-required

REST roles

The REST module installs four default roles with the following permissions:

  • rest-admin – The REST administrator role grants GET/POST permissions to all Magnolia's REST APIs.
  • rest-editor  The REST editor  – The REST editor role grants GET/POST permissions to REST services APIs (nodes, properties), for a limited set of workspaces.
  • rest-anonymous   The REST anonymous consumer consumer role grants GET permissions to Magnolia's content delivery REST API.
  • rest-backup   – The REST backup role backup role grants permission to execute the backup command from a running Magnolia instance.

Multiexcerpt include
MultiExcerptNamerest-role-permissions
nopaneltrue
PageWithExcerptDefault permissions

...

Magnolia recommends you create custom REST roles granting specific access for specific use cases.

There is no "one size fits all" recipe. Create the custom roles according to your needs. However here are a few recommendations.

The custom roles you create depend on your individual project requirements. In general, we recommend you:

  • First deny everything, then specifically grant only First deny everything. Second grant specifically what is required.
  • Avoid to grant granting write permissions to on JCR workspaces for anonymous userusers.
  • Create distinct different roles for distinct each use casescase.